Parameterised Boolean Equation Systems (PBESs) are sequences of Boolean fixed point equations
with data variables, used for, e.g., verification of modal $\mu$-calculus formulae for process algebraic
specifications with data.

Solving a PBES is usually done by instantiation to a Parity Game and then solving the game. 
Practical game solvers exist, but the instantiation step is the bottleneck. 

We enhance the instantiation in two steps. First, we transform the PBES to a Parameterised Parity
Game (PPG), a PBES in which each equation is either conjunctive or disjunctive. Then we use LTSmin,
which offers transition caching, efficient storage of states and both distributed and symbolic state space
generation, to generate the game graph. To that end we define a language module for LTSmin,
consisting of an encoding of variables with parameters into state vectors, a grouped transition relation
and a dependency matrix that indicates the dependencies between parts of the state vector and transition
groups.

Benchmarks on some large case studies show that the method speeds up the instantiation significantly
and decreases memory usage drastically.
1 Introduction

Parameterised Boolean Equation Systems (PBESs) are sequences of fixed point equations with data
variables. They form a very expressive formalism for encoding a wide range of problems, such as the
verification of modal $\mu$-calculus formulae [14, 16] for process algebraic specifications with data (see, e.g.,
[10, 11]) and checking for (branching) bisimilarity of process equations.

PBESs have been described extensively in [11]. A method for solving PBESs directly has been
presented [10], but usually PBESs are solved by first instantiating the system to a plain Boolean Equation
System (BES) and then solving the BES. Instantiation of PBESs is described in [16], where clever
rewriters and enumeration of quantifier expressions play an important role. We focus on instantiation to
a Parity Game (PG), which is a restricted BES with equations that are either conjunctive or disjunctive.
Although no polynomial time algorithm for solving parity games is known (however, the problem is
known to be in NP $\cap$ co-NP), effective parity game solvers exist (see, e.g., [9]), especially when the
alternation depth is low, and the instantiation step is currently the bottleneck of the whole procedure for
many practical cases.
There are clear similarities between instantiation of PBESs and state space generation, a well known
problem in model checking. In both, an abstract description gives rise to a large graph, which requires
efficient storage of the generated graph. Also, in both we often have that the description consists of a
combination of reasonably independent components or equations. This 'locality' can be used to speed up
the generation of successor nodes. Inspired by these similarities, we apply in this paper optimisations from
model checking to the PBES instantiation problem, devising a more efficient method. We use LTSmin, a
language independent toolset for state space exploration which enables efficient state space generation
and offers both symbolic exploration tools based on Binary Decision Diagrams (BDDs) and distributed
exploration tools (see Section 4.1). The tools make use of knowledge about the dependencies for better
efficiency, which can be specified for every language in a separate language module. Instantiating PBESs
to parity games in our enhanced method has two phases:

1) Transforming the PBES into an equivalent system that consists of expressions that are either purely 
conjunctive or purely disjunctive. We call such a system a Parameterised Parity Game (PPG). The 
result of this operation is that any instantiation of the PPG will result directly in a parity game. 

2) Instantiating the PPG to a PG using LTSmin. To this end we defined a PBES language module
for LTSmin, in which we specify a state vector representation of instantiated PBES variables (and
the corresponding node in the generated game graph) and the dependencies between (parts of) the
equations and the parts of the state vector.



[Figure 1: diagram not reproduced. The inputs shown are process equations and $\mu$-calculus formulae.]

Figure 1: Overview of the verification approach, consisting of various transformations, an instantiation
step, and available reductions and solvers.

An overview of the method is shown in Figure 1. We consider PBESs in Bounded Quantifier Normal
Form (BQNF), which is a subset of all PBESs, but any PBES can be rewritten automatically to a system in
BQNF with the same solution. PBESs and their normal forms are described in Section 2. The contributions
of this article are the transformation from BQNF to PPG and the instantiation from PPG to PG. Neither step
is trivial. We will explain here where the obstacles lie.

In general, each system of PBES equations in BQNF can be transformed automatically into a system 
consisting of equations in PPG while preserving the solution. An equation can be transformed to PPG by 
introducing fresh equations for subexpressions and replacing the subexpressions by the corresponding 
variable. However, it is important not to separate quantifiers from the expressions that restrict the data 
elements that have to be considered, so called bounds. If a bound for a quantifier over an infinite data sort 
is replaced by a variable, the instantiator might generate an infinite number of successors for a node in the 
game graph. See Section 3 for our solution.

For the instantiation step we implemented a PBES language module for LTSmin using the Partitioned
Interface for the Next State function (PINS). This includes partitioning each PBES equation into transition
groups and defining a dependency matrix that specifies the dependencies between transition groups and
parts of the state vector. We then have a high-performance instantiation tool that offers both distributed
and symbolic generation of a parity game. This requires some delicacy, as splitting a formula too much
may result in infinite computation (as in the transformation phase) and not splitting enough could result
in a dependency matrix that is too dense, which ruins the effect of transition caching and symbolic
computation. The implementation is described in Section 4.

In Section 5 we present performance results for a number of case studies, comparing our sequential,
distributed and symbolic implementations based on LTSmin to the existing PBES instantiation tools in
the mCRL2 toolset. In almost all cases memory usage is orders of magnitude better for our tool. In all
cases the execution time is also much better.



2 Background 

In this section we will treat PBESs, normal forms for PBESs, and Parity Games. 
2.1 PBES 

Definition 2.1. Predicate formulae $\varphi$ are defined by the following grammar:

$$\varphi ::= b \mid X(e) \mid \neg\varphi \mid \varphi \oplus \varphi \mid Qd : D \,.\, \varphi$$

where $\oplus \in \{\wedge, \vee, \Rightarrow\}$, $Q \in \{\forall, \exists\}$, $b$ is a data term of sort Bool, $X \in \mathcal{X}$ is a predicate variable, $d$ is a data
variable of sort $D$, and $e$ is a vector of data terms. We will call any predicate formula without predicate
variables a simple formula. We denote the class of predicate formulae by $\mathcal{F}$.
Definition 2.2. A First-Order Boolean Equation is an equation of the form:

$$\sigma X(d : D) = \varphi$$

where $\sigma \in \{\mu, \nu\}$ is a minimum ($\mu$) or maximum ($\nu$) fixed point operator, $d$ is a vector of data variables of
sort $D$, and $\varphi$ is a predicate formula.

Definition 2.3. A Parameterised Boolean Equation System (PBES) is a sequence of First-Order Boolean
Equations:

$$\mathcal{E} = (\sigma_1 X_1(d_1 : D_1) = \varphi_1) \ldots (\sigma_n X_n(d_n : D_n) = \varphi_n)$$

The semantics and solution of PBESs are described in, e.g., [11]. We say that two equation systems
$\mathcal{E}_1$ and $\mathcal{E}_2$ are equivalent, written as $\mathcal{E}_1 \equiv \mathcal{E}_2$, if they have the same solution for every variable that occurs
in both systems.

We adopt the standard limitations: expressions are in positive form (negation occurs only in data 
expressions) and every predicate variable occurs exactly once as the left hand side of an equation. A 
PBES that contains no quantifiers and parameters is called a Boolean Equation System (BES). A finitary 
PBES can be instantiated to a BES by expanding the quantifiers to finite conjunctions or disjunctions and 
substituting concrete values for the data parameters. Every instantiated PBES variable X(e) should then 
be read as a BES variable "X(e)". 

A one-to-one mapping can be made from a BES to an equivalent parity game if the BES has only
expressions that are either conjunctive or disjunctive. The parity game is then represented by a game graph
with nodes that represent variables with concrete parameters and edges that represent dependencies. Parity
games will be further explained in Section 2.2. To make instantiation of a PBES to a parity game more
direct we will preprocess the PBES to a format that only allows expressions to be either conjunctive or
disjunctive. This format is a normal form for PBESs that we call the Parameterised Parity Game, defined
as follows:
Definition 2.4. A PBES is a Parameterised Parity Game (PPG) if every right hand side of an equation is
a formula of the form:

$$\bigwedge_{i \in I} f_i \wedge \bigwedge_{j \in J} \forall v_j : D_j \,.\, (g_j \Rightarrow X_j(e_j)) \quad\Big|\quad \bigvee_{i \in I} f_i \vee \bigvee_{j \in J} \exists v_j : D_j \,.\, (g_j \wedge X_j(e_j))$$

where $f_i$ and $g_j$ are simple boolean formulae, and $e_j$ is a data expression. $I$ and $J$ are finite (possibly
empty) index sets.

The expressions range over two index sets $I$ and $J$. The left part is a conjunction (or disjunction) of
simple expressions $f_i$ that can be seen as conditions that should hold in the current state. The right part is
a conjunction (or disjunction) of a quantified vector of variables for next states $X_j$ with parameters $e_j$,
guarded by simple expressions $g_j$.

Before transforming arbitrary PBESs to PPGs we first define another normal form on PBESs to make 
the transformation easier. This normal form can have an arbitrary sequence of bounded quantifiers as 
outermost operators and has a conjunctive normal form at the inner. We call this the Bounded Quantifier 
Normal Form (BQNF): 

Definition 2.5. A First-Order Boolean formula is in Bounded Quantifier Normal Form (BQNF) if it has
the form:

$$\begin{aligned}
\mathrm{BQNF} &::= \forall d : D \,.\, b \Rightarrow \mathrm{BQNF} \;\mid\; \exists d : D \,.\, b \wedge \mathrm{BQNF} \;\mid\; \mathrm{CONJ} \\
\mathrm{CONJ} &::= \bigwedge_{k \in K} f_k \wedge \bigwedge_{i \in I} \forall v_i : D_i \,.\, (g_i \Rightarrow \mathrm{DISJ}_i) \\
\mathrm{DISJ}_i &::= \bigvee_{\ell \in L_i} f_\ell \vee \bigvee_{j \in J_i} \exists v_{ij} : D_{ij} \,.\, (g_{ij} \wedge X_{ij}(e_{ij}))
\end{aligned}$$

where $b$, $f_k$, $f_\ell$, $g_i$, and $g_{ij}$ are simple boolean formulae, and $e_{ij}$ is a data expression. $K$, $I$, $L_i$, and $J_i$ are
finite (possibly empty) index sets.

This BQNF is similar to Predicate Formula Normal Form (PFNF), defined elsewhere¹, in that
quantification is outermost and in that the core is a conjunctive normal form. However, unlike PFNF,
BQNF allows bounds on the quantified variables (hence bounded quantifiers), and universal quantification
is allowed within the conjunctive part and existential quantification is allowed within the disjunctive
parts. These bounds are needed to avoid problems when transforming to PPG. Consider the expression
$(\forall i : \mathbb{N} \,.\, (i < 5) \Rightarrow Y(i)) \vee (\exists j : \mathbb{N} \,.\, (j < 3) \wedge Z(j))$. Rewriting to PFNF (moving the quantifiers outward)
results in $\exists j : \mathbb{N} \,.\, \forall i : \mathbb{N} \,.\, ((i < 5) \Rightarrow Y(i)) \vee ((j < 3) \wedge Z(j))$. Rewriting that expression to PPG would
split the expression such that the initial expression is $\exists j : \mathbb{N} \,.\, X_1(j)$ ($X_1$ is a newly introduced variable
for the equation with the remainder of the expression as right hand side), which would result in an
infinite disjunction when instantiating the PPG. BQNF allows the original expression to be rewritten to
$\exists j : \mathbb{N} \,.\, (j < 3) \wedge \forall i : \mathbb{N} \,.\, (i < 5) \Rightarrow (Y(i) \vee Z(j))$ with the bounds close to the quantifiers, which allows
us to split the expression after the bound, preventing the instantiation from producing an infinite expression.
Requiring that a system is specified in BQNF does not limit the expressiveness, as each PBES can be
transformed into an equivalent system in PFNF that has the same solution and PFNF is a subset of BQNF.

The translation from process algebraic specifications in mCRL2 and $\mu$-calculus formulae to PBESs is
given in [10] and is illustrated by the following example. Throughout the paper we expect the reader to
know process algebras and to be able to read mCRL2 specifications².



¹ A transformation to PFNF is implemented in the pbesrewr tool and documented at http://www.win.tue.nl/mcrl2/wiki/index.php/Parameterised_Boolean_Equation_Systems

² See http://mcrl2.org for documentation on the mCRL2 language.
Example 2.6 (Buffer). Consider the specification of a simple buffer with a capacity of 2.

    sort D = struct d1 | d2;
    act  r1, s4 : D;
    proc Buffer(q : List(D)) = sum d:D . (#q < 2) -> r1(d) . Buffer(q <| d)
                             + (q != []) -> s4(head(q)) . Buffer(tail(q));
    init Buffer([]);

The specification consists of sort and action definitions, process specifications where alternatives are in
summands, and an initial state. On the first line an enumerated data sort D is introduced with data values
d1 and d2, and the actions r1 and s4 are specified, both having a data parameter of type D. A process
Buffer is specified that has a data parameter q, which is a list of elements of type D. The process consists
of summands, separated by the +-operator. Each summand may start with a summation over a data set,
followed by a guard that is closed with a ->, then an action, followed by a call to the process that describes
the behaviour after the action, typically a recursive call to the process itself with different parameters.

The first summand specifies that any element d can be added to q by the action r1(d) if the size of the
internal buffer q is smaller than 2. The second summand specifies that if q is not empty, elements can be
popped by the action s4(head(q)). The initial state of the system is the Buffer process with an empty list
in this case, which models that initially the buffer is empty.

We can check the specification for absence of deadlock, which is expressed in $\mu$-calculus as follows:

$$[\top^*] \langle\top\rangle \top \qquad \text{(which is syntactic sugar for: } \nu X \,.\, \langle\top\rangle\top \wedge [\top]\, X)$$

which reads: after any sequence of actions ($[\top^*]$), always some action is enabled ($\langle\top\rangle\top$). Satisfaction of
the formula by the specification, translated to a PBES, looks as follows:

    sort D = struct d1 | d2;
    pbes nu X(q : List(D)) = ((q != []) || (#q < 2))
                          && ((q != []) => X(tail(q)))
                          && (forall d:D . (#q < 2) => X(q <| d));
    init X([]);

This PBES is true if from the initial state X([]) an element can be added to q if #q is smaller than 2, an
element can be popped from q if it is not empty, and any of these actions is enabled (q != [] or #q < 2,
which is obviously true for any q). The same has to hold for the successor states (X with an element added
to, respectively popped from, q as parameter). The solution of the PBES is true.

Remark. The equation system in the example above is already a PPG, which is no coincidence as any 
system when combined with the absence of deadlock property will result in a PBES in PPG form because 
of the form of the formula: a conjunction of "we can do an action now" (a disjunctive expression without 
recursion) and "for all possible actions the property holds in all next states" (universal quantification 
with recursion). Note that checking the absence of deadlock property is almost the same as standard 
reachability analysis. 

Definition 2.7 (Block). A PBES is divided into blocks, which are subsequences of equations with the 
same fixed point operator such that subsequent equations with the same fixed point operator belong to the 
same block. 

2.2 Parity Games 

A parity game is a game between two players, player 0 (also called Eloise or player even) and player
1 (also called Abelard or player odd), where each player owns a set of places. On one place a token is
placed that can be moved by the owner of the place to an adjacent place. The parity game is represented
as a graph. We borrow notation from [6] and [15].

Definition 2.8 (Parity Game). A parity game is a graph $\mathcal{G} = (V, E, V_0, V_1, v_I, \Omega)$, with

• $V$ the set of vertices (or places or states);

• $E \subseteq V \times V$ the set of transitions;

• $V_0 \subseteq V$ the set of places owned by player 0;

• $V_1 \subseteq V$ the set of places owned by player 1;

• $v_I \in V$ the initial state of the game;

• $\Omega : V \to \mathbb{N}$ assigns a priority $\Omega(v)$ to each vertex $v \in V$;

where $V_0 \cup V_1 = V$ and $V_0 \cap V_1 = \emptyset$.

The nodes in the graph represent the places and correspond to the instantiated variables from the
equation system. The edges represent possible moves of the token (initially placed on $v_I$) and encode
dependencies between variables. A node does not necessarily have outgoing transitions, i.e., deadlock
nodes are allowed. In the parity game, player 0 owns the nodes that represent disjunctions, player 1 the
nodes that represent conjunctions.

The node priorities correspond to the number of the block to which the corresponding variable belongs
(see Def. 2.7), such that variables in earlier blocks have lower priorities, $\nu$-blocks have even priorities,
$\mu$-blocks have odd priorities and the earliest $\mu$-block has priority 1. The following table shows an intuitive
overview of the relations between BESs and parity games.

    ν blocks        Even priorities (0, 2, 4, ...)
    μ blocks        Odd priorities (1, 3, 5, ...)
    ∨, ∃, ⟨ ⟩       Player 0, Eloise, Even, Prover
    ∧, ∀, [ ]       Player 1, Abelard, Odd, Refuter

The values true ($\top$) and false ($\bot$) are represented as a node with priority 0, player 1 and a transition to
itself, and a node with priority 1, player 0 and a transition to itself, respectively.

A play in the game is a finite path $\pi = v_0 v_1 \cdots v_r \in V^+$ ending in a deadlock state $v_r$, or an infinite
path $\pi = v_0 v_1 \cdots \in V^\omega$, such that $(v_i, v_{i+1}) \in E$ for every $v_i$ in $\pi$. The priority function $\Omega$ extends to plays in
the following way: $\Omega(\pi) = \Omega(v_0)\Omega(v_1)\cdots$. $\mathrm{Inf}(\rho)$ returns the set of values that occur infinitely often in a
sequence $\rho$.

Definition 2.9 (Winner of a play). Player 0 is the winner of a play $\pi$ if

• $\pi$ is a finite play $v_0 v_1 \cdots v_r \in V^+$ and $v_r \in V_1$ and no move is possible from $v_r$; or

• $\pi$ is an infinite play and $\min(\mathrm{Inf}(\Omega(\pi)))$, the minimum of the priorities that occur infinitely often
in $\pi$, is even. This is called the min-parity condition.

Definition 2.10 (Strategy). A (memoryless) strategy for player $\alpha$ is a function $f_\alpha : V_\alpha \to V$. A play
$\pi = v_0 v_1 \cdots$ conforms to $f_\alpha$ if for every $v_i$ in $\pi$, $v_i \in V_\alpha \Rightarrow v_{i+1} = f_\alpha(v_i)$.

Definition 2.11 (Winner of the game). Player 0 is the winner of the game if and only if there exists a
winning strategy for player 0, i.e., from the initial state every play conforming to the strategy will be won
by player 0.

The model checking problem is encoded as a PBES (see [10]) which is instantiated to a parity game
(see [16]) such that player 0 is the winner of the game iff the property holds for the system.

Solving Parity Games Solving a parity game means finding a winning strategy for one of the players.
Various algorithms exist, such as the recursive algorithm by Zielonka [20] and Small Progress Measures
by Jurdziński [13], with a multi-core implementation in [15]. An overview and performance comparison
of the algorithms are given in [3].
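The following Python script is an added example, not code from the paper or from any of the solvers it cites. It encodes a parity game in the convention of Definitions 2.8 to 2.11 and solves it with Zielonka's recursive algorithm, adapted to the min-parity condition (the minimal priority of the remaining game takes the role that the maximal priority plays in the usual max-parity presentation). Deadlock nodes are made total exactly as described above: a stuck player-1 node gets an edge to the true node (priority 0, player 1, self-loop) and a stuck player-0 node an edge to the false node (priority 1, player 0, self-loop). The sample game is a hand-built version of the game graph for the deadlock-freedom PBES of Example 2.6 with the two data values written as a and b; all class, function and vertex names are this example's own choices.

```python
from collections import deque


class ParityGame:
    """Parity game in the paper's convention (Def. 2.8, min-parity):
    player 0 wins an infinite play iff the least priority occurring
    infinitely often is even."""

    def __init__(self):
        self.owner = {}     # vertex -> 0 or 1
        self.priority = {}  # vertex -> natural number
        self.succ = {}      # vertex -> set of successor vertices

    def add_vertex(self, v, owner, priority):
        self.owner[v] = owner
        self.priority[v] = priority
        self.succ.setdefault(v, set())

    def add_edge(self, u, v):
        self.succ[u].add(v)

    def make_total(self):
        """Encode deadlocks as in Section 2.2: a stuck player-1 vertex is won by
        player 0, so it gets an edge to 'true' (priority 0, owner 1, self-loop);
        a stuck player-0 vertex gets an edge to 'false' (priority 1, owner 0)."""
        for v in list(self.succ):
            if self.succ[v]:
                continue
            target = "true" if self.owner[v] == 1 else "false"
            if target not in self.owner:
                self.add_vertex(target, 1 if target == "true" else 0,
                                0 if target == "true" else 1)
                self.add_edge(target, target)
            self.add_edge(v, target)


def attractor(game, vertices, targets, player):
    """Vertices of `vertices` from which `player` can force a visit to `targets`."""
    attr = set(targets)
    pred = {v: set() for v in vertices}
    for u in vertices:
        for v in game.succ[u]:
            if v in vertices:
                pred[v].add(u)
    # for opponent vertices, count the successors that still escape the attractor
    escapes = {v: len(game.succ[v] & vertices) for v in vertices}
    queue = deque(attr)
    while queue:
        v = queue.popleft()
        for u in pred[v]:
            if u in attr:
                continue
            if game.owner[u] == player:
                attr.add(u)
                queue.append(u)
            else:
                escapes[u] -= 1
                if escapes[u] == 0:
                    attr.add(u)
                    queue.append(u)
    return attr


def zielonka(game, vertices=None):
    """Winning regions (W0, W1) of a total game, Zielonka's recursion for min-parity."""
    if vertices is None:
        vertices = set(game.owner)
    if not vertices:
        return set(), set()
    p = min(game.priority[v] for v in vertices)
    alpha = p % 2                     # the player who is happy with priority p
    A = attractor(game, vertices, {v for v in vertices if game.priority[v] == p}, alpha)
    W = zielonka(game, vertices - A)
    if not W[1 - alpha]:              # the opponent wins nothing outside A
        return (set(vertices), set()) if alpha == 0 else (set(), set(vertices))
    B = attractor(game, vertices, W[1 - alpha], 1 - alpha)
    W2 = zielonka(game, vertices - B)
    result = [set(), set()]
    result[alpha] = W2[alpha]
    result[1 - alpha] = W2[1 - alpha] | B
    return tuple(result)


def winner(game, v):
    """Winner of the game from initial vertex v (Def. 2.11)."""
    game.make_total()
    w0, _ = zielonka(game)
    return 0 if v in w0 else 1


def buffer_game():
    """Hand-built game graph for the deadlock-freedom PBES of Example 2.6:
    every X(q) is a conjunction (player 1) in the first nu-block (priority 0)."""
    game = ParityGame()
    queues = [()] + [(a,) for a in "ab"] + [(a, b) for a in "ab" for b in "ab"]
    for q in queues:
        game.add_vertex(("X", q), 1, 0)
    game.add_vertex("true", 1, 0)
    game.add_edge("true", "true")
    for q in queues:
        game.add_edge(("X", q), "true")               # (q != [] or #q < 2) holds
        if q:
            game.add_edge(("X", q), ("X", q[1:]))     # an element is popped
        if len(q) < 2:
            for d in "ab":
                game.add_edge(("X", q), ("X", q + (d,)))  # an element is pushed
    return game
```

`winner(buffer_game(), ("X", ()))` returns 0, matching the solution true of the PBES. The attractor computation is the standard one; the only min-parity specific step is choosing the minimal priority at each recursion level, which keeps the encoding of true and false from Section 2.2 unchanged.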



3 Transformation from BQNF to Parameterised Parity Games 

In order to automatically transform a PBES to a PPG, we define a transformation function $s$ from BQNF
to PPG. The transformation rewrites expressions that contain both conjunctions and disjunctions to
equivalent expressions that are either conjunctive or disjunctive, by introducing new equations for certain
subformulae and substituting calls to the new equations for these subformulae in the original expression.
The function $t$ below replaces an expression by a call to a new equation if the expression is not already a
variable instantiation. The function $t'$ introduces a new equation for an expression if needed.

$$t(X, d, \varphi) \overset{\mathrm{def}}{=} \begin{cases} \varphi & \text{if } \varphi \text{ is of the form } X'(e), \\ \tilde{X}(d) & \text{otherwise;} \end{cases}$$

$$t'(\sigma, X, d, \varphi) \overset{\mathrm{def}}{=} \begin{cases} \varepsilon & \text{if } \varphi \text{ is of the form } X'(e), \\ s(\sigma \tilde{X}(d) = \varphi) & \text{otherwise,} \end{cases}$$

where $\varepsilon$ is the empty sequence of equations. For brevity, we leave out the types of the parameters. A tilde is used to introduce a fresh variable: $\tilde{X}$. For
an equation system $\mathcal{E} = (\sigma X_1(d_1) = \xi_1) \ldots (\sigma X_n(d_n) = \xi_n)$, with each $\xi_i$ in BQNF, the translation to PPG
is defined as follows:

$$\begin{aligned}
s(\mathcal{E}) &\overset{\mathrm{def}}{=} s(\sigma X_1(d_1) = \xi_1) \ldots s(\sigma X_n(d_n) = \xi_n) \\
s(\sigma X(d) = f) &\overset{\mathrm{def}}{=} \sigma X(d) = f \\
s(\sigma X(d) = \forall v \,.\, b \Rightarrow \varphi) &\overset{\mathrm{def}}{=} \big(\sigma X(d) = \forall v \,.\, b \Rightarrow t(X, d + v, \varphi)\big)\; t'(\sigma, X, d + v, \varphi) \\
s(\sigma X(d) = \exists v \,.\, b \wedge \varphi) &\overset{\mathrm{def}}{=} \big(\sigma X(d) = \exists v \,.\, b \wedge t(X, d + v, \varphi)\big)\; t'(\sigma, X, d + v, \varphi) \\
s\Big(\sigma X(d) = \bigwedge_{k \in K} f_k \wedge \bigwedge_{i \in I} (\forall v_i \,.\, g_i \Rightarrow \varphi_i)\Big) &\overset{\mathrm{def}}{=} \Big(\sigma X(d) = \bigwedge_{k \in K} f_k \wedge \bigwedge_{i \in I} (\forall v_i \,.\, g_i \Rightarrow t(X_i, d + v_i, \varphi_i))\Big)\; t'(\sigma, X_1, d + v_1, \varphi_1) \ldots t'(\sigma, X_m, d + v_m, \varphi_m) \\
s\Big(\sigma X(d) = \bigvee_{k \in K} f_k \vee \bigvee_{i \in I} (\exists v_i \,.\, g_i \wedge \varphi_i)\Big) &\overset{\mathrm{def}}{=} \Big(\sigma X(d) = \bigvee_{k \in K} f_k \vee \bigvee_{i \in I} (\exists v_i \,.\, g_i \wedge t(X_i, d + v_i, \varphi_i))\Big)\; t'(\sigma, X_1, d + v_1, \varphi_1) \ldots t'(\sigma, X_m, d + v_m, \varphi_m)
\end{aligned}$$

with $I = 1 \ldots m$, $v \cap d = \emptyset$ (variables in $v$ do not occur in $d$), $b$, $f$, $f_k$, $g_i$ simple formulae, and $\varphi$, $\varphi_i$
formulae that may contain predicate variables.
Proposition 3.1. The transformation $s$ is solution preserving, i.e., for any $\mathcal{E}$ in BQNF, $s(\mathcal{E}) \equiv \mathcal{E}$: bound
variables $X(d)$ have the same solution in $s(\mathcal{E})$ as in $\mathcal{E}$.

Proof. Every change made by $s$ to an equation $\sigma X = \xi$ is a substitution of a subexpression $\varphi$ by a fresh
variable $\tilde{X}$, while adding at the same time a new equation $\sigma \tilde{X} = \varphi$ in the same block as $X$. We can apply
backward substitution (using [11, Lemma 18]) $s(\sigma X = \xi)[\tilde{X} := \varphi]$ for every substitution caused by the
transformation to get the original equation system (plus an unused equation $s(\sigma \tilde{X} = \varphi)$ for every fresh
variable $\tilde{X}$). From that we can conclude that $s(\mathcal{E}) \equiv \mathcal{E}$. □

Example 3.2 (Example of the transformation). We combine the buffer from Example 2.6 with the property
that in every state both r1 and s4 actions are enabled:

$$\nu X \,.\, (\exists d : D \,.\, \langle r_1(d) \rangle X) \wedge (\exists d : D \,.\, \langle s_4(d) \rangle X)$$

The resulting PBES has an equation which does not conform to the PPG form, but is in BQNF:

    sort D = struct d1 | d2;
    pbes nu X(q : List(D)) = (exists d:D . (#q < 2) && X(q <| d))
                          && (exists d:D . (head(q) == d) && (q != []) && X(tail(q)));
    init X([]);

The transformation $s$ replaces both conjuncts by a fresh variable and adds equations for these variables
with the substituted expression as right hand side, resulting in the equations:

    pbes nu X(q : List(D))  = X1(q) && X2(q);
         nu X1(q : List(D)) = exists d:D . (#q < 2) && X(q <| d);
         nu X2(q : List(D)) = exists d:D . (head(q) == d) && (q != []) && X(tail(q));

The first equation is purely conjunctive, while the latter two equations are (guarded) disjunctive.
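As an added example (not the paper's implementation, and independent of the mCRL2 tools), the following Python code implements the transformation $s$ of this section on a small formula AST. Data expressions (bounds, guards, arguments) are kept as opaque strings, since only the propositional structure matters for $s$. The two inputs are Example 3.2 and the BQNF formula from Section 2 ($\exists j . (j < 3) \wedge \forall i . (i < 5) \Rightarrow (Y(i) \vee Z(j))$); the second shows the point the text makes about bounds: the quantifier keeps its bound and only the body after the bound is split off, so no equation of the form $\exists j . X_1(j)$ arises. Fresh variables are named X_1, X_2, ... in place of the paper's $\tilde{X}$; the AST encoding and the names `ToPPG`, `is_ppg` and `transform` are this example's own.

```python
import itertools

# Formula AST used by this example:
#   ('simple', text)              simple formula (no predicate variables)
#   ('var', name, [args])         predicate variable instantiation X(e)
#   ('forall', v, bound, body)    forall v . bound => body
#   ('exists', v, bound, body)    exists v . bound && body
#   ('and', [children]) / ('or', [children])


def is_ppg(rhs):
    """Right-hand side in the form of Definition 2.4: purely conjunctive or purely
    disjunctive, with at most a guarded quantifier in front of each variable."""
    kind = rhs[0]
    if kind in ("simple", "var"):
        return True
    if kind in ("forall", "exists"):
        return rhs[3][0] == "var"
    inner = "forall" if kind == "and" else "exists"
    return all(c[0] in ("simple", "var") or (c[0] == inner and c[3][0] == "var")
               for c in rhs[1])


class ToPPG:
    """The transformation s of Section 3. s returns the rewritten equation
    followed by the fresh equations introduced for its sub-expressions (t')."""

    def __init__(self):
        self.counter = itertools.count(1)

    def s(self, sigma, name, params, rhs, base=None):
        base = base or name
        fresh = []  # equations produced by t' of the paper, in order

        def t(ps, phi):
            # t: keep a variable instantiation as it is; otherwise call a fresh
            # equation over the current parameters plus the quantified ones
            if phi[0] == "var":
                return phi
            new_name = f"{base}_{next(self.counter)}"
            fresh.extend(self.s(sigma, new_name, ps, phi, base))
            return ("var", new_name, list(ps))

        kind = rhs[0]
        if kind in ("simple", "var"):
            new = rhs
        elif kind in ("forall", "exists"):
            _, v, bound, body = rhs
            # the bound stays with its quantifier; only the body is split off
            new = (kind, v, bound, t(params + [v], body))
        else:
            inner = "forall" if kind == "and" else "exists"
            children = []
            for c in rhs[1]:
                if c[0] == inner:
                    _, v, guard, body = c
                    children.append((inner, v, guard, t(params + [v], body)))
                elif c[0] in ("simple", "var"):
                    children.append(c)
                else:  # a sub-expression of the other polarity: split it off whole
                    children.append(t(params, c))
            new = (kind, children)
        return [(sigma, name, params, new)] + fresh


def transform(equations):
    """Apply s to a whole system, equation by equation (fresh names per system)."""
    tr = ToPPG()
    out = []
    for sigma, name, params, rhs in equations:
        out.extend(tr.s(sigma, name, params, rhs))
    return out


# Example 3.2: nu X(q) = (exists d . #q<2 && X(q<|d)) && (exists d . head(q)==d && q!=[] && X(tail(q)))
EXAMPLE_3_2 = [("nu", "X", ["q"],
               ("and", [("exists", "d", "#q < 2", ("var", "X", ["q <| d"])),
                        ("exists", "d", "head(q) == d && q != []",
                         ("var", "X", ["tail(q)"]))]))]

# The BQNF formula of Section 2: exists j . j<3 && forall i . i<5 => (Y(i) || Z(j))
BQNF_SECTION_2 = [("nu", "X", [],
                  ("exists", "j", "j < 3",
                   ("forall", "i", "i < 5",
                    ("or", [("var", "Y", ["i"]), ("var", "Z", ["j"])]))))]
```

On `EXAMPLE_3_2`, `transform` produces exactly the three equations of Example 3.2 (X, X_1, X_2, each in PPG form). On `BQNF_SECTION_2` it produces $X = \exists j . (j < 3) \wedge X_1(j)$, $X_1(j) = \forall i . (i < 5) \Rightarrow X_2(j, i)$ and $X_2(j, i) = Y(i) \vee Z(j)$, so every quantifier in the result is still guarded by its own bound.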

4 Instantiation of Parameterised Parity Games 

We view the instantiation of PPGs to Parity Games as generating a transition system, where states are 
predicate variables with concrete parameters and transitions are dependencies, specified by the right hand 
side of the corresponding equation in the PPG. 

Example 4.1. Consider the equation: 

$$\nu X(d : D) = (d > 0 \wedge d < 10) \Rightarrow X(d - 1) \wedge X(d + 1)$$

If X(5) is the initial value, its successors are X(4) and X(6), so the graph starts with a node owned by 
player 1 representing X(5) with transitions to nodes X(4) and X(6). 

4.1 LTSmin 

We use the tool LTSmin to generate a parity game given a PPG. LTSmin is a language independent
tool for state-space generation [5]. Different language modules are available, which are connected to
different exploration algorithms through the so-called PINS interface. This interface allows for certain
language-independent optimisations, such as transition caching and distributed generation (see [4]), and
an efficient compressed storage of states in a tree database (see [2]). Also symbolic reachability analysis
is possible, where the state space is stored as a Binary Decision Diagram (BDD).
4.1.1 Partitioned Interface for the Next State function

LTSmin uses a Partitioned Interface for the Next State function (PINS), where states are represented as a
vector $(x_1, x_2, \ldots, x_M)$ with size $M$ that is fixed for the whole system (to be determined statically). These
values are stored in a globally accessible table, so that the states can also be represented as a vector of
integer indices $(i_1, i_2, \ldots, i_M)$. The PINS interface functions on this level of integer vectors, so that each
tool can really be language-independent. Throughout the text we will often use value vectors instead of
index vectors for better readability.

For a system with a state vector of $M$ parts, the universe of states is $S = \mathbb{N}^M$. For each language
module a transition function $\mathrm{Next} : S \to \mathcal{P}(S)$ has to be defined that computes the set of successor
states for a given state. This transition relation is preferably split into transition groups in order to reflect
the compositional structure of the system, by defining a function $\textsc{Group-Next} : S \times \mathbb{N} \to \mathcal{P}(S)$ that
computes successors for state $s$ as defined in group $k$. Suppose we have $K$ transition groups. $\mathrm{Next}$ can
then be defined as

$$\mathrm{Next}(s) = \bigcup_{k=1}^{K} \textsc{Group-Next}(s, k)$$



4.1.2 Dependence 

An important optimisation comes from the observation that not all parts of the state vectors are relevant 
in every transition group. To indicate the relevant parts of the vector for each of the transition groups, 
LTSmin uses a dependency matrix, which has to be computed statically. 

Definition 4.2 (PINS Matrix; [1, Def. 4]). A dependency matrix $D_{K \times N} = \mathrm{DM}(P)$ for system $P$ is a
matrix with $K$ rows and $N$ columns containing $\{0, 1\}$ such that if $D_{k,i} = 0$ then group $k$ is independent
of element $i$.

For any transition group $1 \le k \le K$, we define $\pi_k$ as the projection $\pi_k : S \to \prod_{\{1 \le i \le N \mid D_{k,i} = 1\}} S_i$.

Independence here means that for given transition group $k$ the transitions do not depend on part $i$ of
the state vector (read independence) and the transitions do not change part $i$ of the successor state vector
(write independence), or that part $i$ is irrelevant in both the current state and all successor states. Irrelevant
here means that changing the value of that part would still result in a bisimilar state space. For a more
precise definition, see [11, Def. 9]. This definition of independence is slightly more liberal than the one in
[1] in that we added this notion of relevance.



4.1.3 Transition caching 

One way of exploiting the dependency information in the matrix is by using transition caching. Only
the dependent parts of the transition are stored in a cache for every group $k$ by using the projection
function $\pi_k$, as described in [4] and shown in Alg. 4.1. This way time is saved, because caching of
transitions avoids calling $\textsc{Group-Next}$ at every step. The density of the matrix has great influence on
the performance of caching and of the symbolic tools.
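The following Python code is an added example of transition caching over a dependency matrix, written for this page; it is not LTSmin's implementation, which is in C. It follows Next-Cache, Update-Cache and Next-Apply of Alg. 4.1: the cache of group $k$ is keyed by $\pi_k(s)$, stores projected successors, and Next-Apply copies the independent parts of the state back from $s$. The system is a constructed three-part state vector with three groups and a hand-written dependency matrix; it is small enough to count how many real Group-Next calls the cache saves, and it also checks that the cached exploration reaches exactly the same states as the uncached one (which only holds when the matrix is sound, i.e. no group writes a part it is marked independent of).

```python
def make_next_cache(group_next, dep_matrix):
    """Alg. 4.1: for group k, cache projected successors keyed by pi_k(s),
    the projection of s on the parts that group k depends on."""
    caches = [dict() for _ in dep_matrix]       # C_k for every group
    stats = {"group_next_calls": 0}

    def project(s, k):  # pi_k
        return tuple(s[i] for i, dep in enumerate(dep_matrix[k]) if dep)

    def next_apply(s, t, k):
        # independent parts come from s, dependent parts from the cached tuple t
        s2 = list(s)
        j = 0
        for i, dep in enumerate(dep_matrix[k]):
            if dep:
                s2[i] = t[j]
                j += 1
        return tuple(s2)

    def update_cache(s, k):
        key = project(s, k)
        if key not in caches[k]:
            stats["group_next_calls"] += 1
            caches[k][key] = {project(s2, k) for s2 in group_next(s, k)}

    def next_cache(s, k):
        update_cache(s, k)
        return {next_apply(s, t, k) for t in caches[k][project(s, k)]}

    return next_cache, stats


def explore(initial, next_fn, n_groups):
    """Plain reachability; Next is the union of Group-Next over all groups."""
    seen = {initial}
    todo = [initial]
    while todo:
        s = todo.pop()
        for k in range(n_groups):
            for s2 in next_fn(s, k):
                if s2 not in seen:
                    seen.add(s2)
                    todo.append(s2)
    return seen


# Constructed toy system with state vector (x, y, z); the dependency matrix is
# written by hand from what each group reads and writes.
DEP_MATRIX = [
    [1, 0, 0],  # group 0 reads and writes x only
    [0, 1, 1],  # group 1 reads y and z, writes y
    [0, 0, 1],  # group 2 reads and writes z
]


def toy_group_next(s, k):
    x, y, z = s
    if k == 0:
        return {((x + 1) % 3, y, z)}
    if k == 1:
        return {(x, y + 1, z)} if y < z else set()
    return {(x, y, z - 1)} if z > 0 else set()


def compare(initial=(0, 0, 3)):
    """Explore with and without the cache. Returns the two state counts, the number
    of real Group-Next calls the cached run needed, and whether the results agree."""
    plain = explore(initial, toy_group_next, len(DEP_MATRIX))
    cached_next, stats = make_next_cache(toy_group_next, DEP_MATRIX)
    cached = explore(initial, cached_next, len(DEP_MATRIX))
    return len(plain), len(cached), stats["group_next_calls"], plain == cached
```

From (0, 0, 3) the toy system has 48 reachable states, so the uncached exploration calls Group-Next 144 times (48 states, 3 groups); the cached exploration needs only 23 calls, one per distinct projection per group (3 values of x, 16 pairs (y, z), 4 values of z). A denser matrix (more 1s per row) gives more distinct projections and hence fewer cache hits, which is the effect the text describes.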



4.2 PBES Language Module 

In this section we describe states, transition groups and the dependency matrix for PPGs. We assume to
have a rewriter simplify that is powerful enough to evaluate any closed data expression to true or false or
to a disjunction or conjunction of predicate variables with closed data expressions as parameters. We use
the same rewriter by Van Weerdenburg [19] as used in [16].
Algorithm 4.1 Next-Cache(s, k) computes successors of s for group k using a cache.

    Next-Cache(s, k)
    1: Update-Cache(s, k)
    2: S := ∅
    3: for all t ∈ C_k[π_k(s)] do
    4:     t' := Next-Apply(s, t, k)
    5:     Add t' to S
    6: return S

    Update-Cache(s, k)
    1: if π_k(s) ∉ dom(C_k) then
    2:     S := ∅
    3:     S' := Group-Next(s, k)
    4:     for all s' ∈ S' do
    5:         Add π_k(s') to S
    6:     C_k[π_k(s)] := S

    Next-Apply(s, t, k)
    1: j := 1
    2: for 1 ≤ i ≤ N do
    3:     if D_{k,i} = 0 then
    4:         s'[i] := s[i]
    5:     else
    6:         s'[i] := t[j]
    7:         j := j + 1
    8: return s'



4.2.1 States and transition groups 

For PPGs, the state vector is partitioned as follows: $(X, x_1, x_2, \ldots, x_M)$, where $X$ is a propositional
variable, and for $i \in \{1 \ldots M\}$ each $x_i$ is the value of parameter $i$. $M$ is the total number of parameter
signatures in the system (consisting of name and type).

We assume the existence of a function $\mathrm{priority} : S \to \mathrm{Int}$ that assigns a priority to each state (based on
the block of the corresponding equation) and a function $\mathrm{player} : S \to \{0, 1\}$ that assigns a player to each
state (0 if the corresponding expression is a disjunction, 1 if it is a conjunction). In particular, the true
state has priority 0 and is owned by player 1 and the false state has priority 1 and belongs to player 0.

The equations in the PPG specify the transitions between states. The right hand side of the equation
is split into conjuncts or disjuncts if possible, which form the transition groups, which are numbered
consecutively. We use a mapping $\mathrm{var} : \mathrm{Int} \to \mathcal{X}$ from group number to variable and a mapping $\mathrm{expr} : \mathrm{Int} \to \mathcal{F}$
from group number to corresponding conjunct or disjunct. In the following we assume the index sets $I$
and $J$ to be disjoint.

For a sequence of equations of the form

$$\sigma X(d : D) = \bigwedge_{i \in I} f_i \wedge \bigwedge_{j \in J} \forall v \in D_j \,.\, (g_j(d, v) \Rightarrow X_j(e_j(d, v))),$$

for each $i \in I$ there is a group $k$ with $\mathrm{expr}(k) = f_i$ and for each $j \in J$ there is a group $k$ with

$$\mathrm{expr}(k) = \forall v \in D_j \,.\, (g_j(d, v) \Rightarrow X_j(e_j(d, v))),$$

and $\mathrm{var}(k) = X$. Symmetrically for disjunctive equations.

Example 4.3. We will explain these concepts using a specification of two sequential buffers (buffer.2):

    proc In(i : Pos, q : List(D))  = sum d:D . (#q < 2) -> r1(d) . In(i, q <| d)
                                   + (q != []) -> w(i + 1, head(q)) . In(i, tail(q));
    proc Out(i : Pos, q : List(D)) = sum d:D . (#q < 2) -> r(i, d) . Out(i, q <| d)
                                   + (q != []) -> s4(head(q)) . Out(i, tail(q));
    init hide({c}, allow({r1, c, s4}, comm({w | r -> c}, In(1, []) || Out(2, []))));

The initial state of the system is specified as the composition of an In and an Out component, combined
with the parallel composition (||) operator. Synchronisation of r and w actions of the two
processes proceeds in two steps. The simultaneous occurrence of actions r and w (the multi-action w | r) is
renamed to c (comm) and separate occurrences of r and w are ruled out by the restriction operator (allow).
The internal action c is hidden (hide). This specification is translated to a single process by linearising it
to Linear Process Specification (LPS) format. The result is the following specification:

    proc P(q_in, q_out : List(D)) = sum d:D . (#q_in < 2) -> r1(d) . P(q_in <| d, q_out)
                                  + (q_out != []) -> s4(head(q_out)) . P(q_in, tail(q_out))
                                  + (q_in != [] && #q_out < 2) -> tau . P(tail(q_in), q_out <| head(q_in))
                                  + delta;
    init P([], []);

The result of hiding the c action is the internal tau transition in the third summand. Actions that are not in
the set {r1, c, s4} are replaced by a delta as a result of the restriction operator.

For this process specification, we want to verify the property that if a message is read through r1, it will
eventually be sent through s4:

$$\nu Y \,.\, \big(\forall d : D \,.\, ([r_1(d)]\, (\mu X \,.\, (\langle \mathit{true} \rangle \mathit{true} \wedge [\neg s_4(d)]\, X)))\big) \wedge [\mathit{true}]\, Y$$

Satisfaction of this formula by the LPS translates to the following PBES:

    pbes nu Y(q_in, q_out : List(D)) =
           (forall d:D . (#q_in < 2) => X(q_in <| d, q_out, d))                      (1)
        && (forall d0:D . (#q_in < 2) => Y(q_in <| d0, q_out))                       (2)
        && ((q_out != []) => Y(q_in, tail(q_out)))                                   (3)
        && ((q_in != [] && #q_out < 2) => Y(tail(q_in), q_out <| head(q_in)));       (4)
         mu X(q_in, q_out : List(D), d : D) =
           ((#q_in < 2) || (q_out != []) || (q_in != [] && #q_out < 2))              (5)
        && (forall d0:D . (#q_in < 2) => X(q_in <| d0, q_out, d))                    (6)
        && ((head(q_out) != d) && (q_out != []) => X(q_in, tail(q_out), d))          (7)
        && ((q_in != [] && #q_out < 2) => X(tail(q_in), q_out <| head(q_in), d));    (8)
    init Y([], []);

For this equation system, the structure of the state vector is $(X, q_{in}, q_{out}, d)$. The initial state would be
encoded as $(Y, [\,], [\,], 0)$. Since the initial state has no parameter $d$, a default value is chosen. The numbers
(1)-(8) behind the equation parts denote the different transition groups, i.e., each conjunct of a conjunctive
expression forms a group. For instance, for group (3) the associated expression is $\mathrm{expr}(3) = ((q_{out} \neq [\,]) \Rightarrow Y(q_{in}, \mathit{tail}(q_{out})))$
and it is associated with variable $\mathrm{var}(3) = Y$. Group (1) encodes the $[r_1(d)]\varphi$
part of the formula (where $\varphi$ is the $\mu X$ part of the formula), groups (2)-(4) encode the $[\mathit{true}]\, Y$ part, group
(5) encodes that a transition is enabled ($\langle \mathit{true} \rangle \mathit{true}$), and groups (6)-(8) encode the cases in which no $s_4(d)$
transition is taken.

For an equation σX(d : D) = φ, let params(X) be the list of parameters d and params(X)_i the i-th 
element of that list. The next state function GROUP-NEXT is defined as follows. For every k with 
var(k) = X, 

$$
\mathrm{GROUP\text{-}NEXT}(X(e), k) \overset{def}{=}
\begin{cases}
\{ simplify(f[params(X) := e]) \} & \text{if } f = expr(k) \text{ is a simple formula;} \\
\{ X'(h(e,v)) \mid v \in D \wedge g(e,v) \} & \text{if } expr(k) \text{ is of the form } Qv \in D.\ (g(e,v) \oplus X'(h(e,v))).
\end{cases}
$$


G. Kant&J.C. van de Pol 



61 



Note that if f is a simple expression, simplify(f[params(X) := e]) will result in either true or false. In the 
case that f is not simple, all concrete variable instantiations are enumerated for every quantifier variable v 
for which the guard g is satisfied. 

Example 4.4. For the example above, GROUP-NEXT(Y([], []), 3) yields the empty set because q_out = []. 
GROUP-NEXT(Y([], []), 2) results in {Y([d_1], []), Y([d_2], [])}. 
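As an added example (not code from the paper or from LTSmin), the following Python encodes the eight transition groups of the PBES above as guard/successor pairs over an assumed finite domain D = {d1, d2}, implements GROUP-NEXT, and then instantiates the whole game by a breadth-first search from Y([], []); the default value chosen for the missing parameter d of the initial state is assumed to be d1.

```python
# Added example (not the paper's code): GROUP-NEXT of Section 4.2.1 instantiated for the
# PBES of Example 4.3 with the assumed finite domain D = {d1, d2}, plus a breadth-first
# instantiation of the whole parity game from init Y([], []).
from collections import deque

DOM = ("d1", "d2")      # assumed domain D; lists are tuples, e = (q_in, q_out, d)
DEFAULT_D = DOM[0]      # assumed default value for the missing parameter d of the initial state

def simple5(e):         # expr(5): (#q_in < 2) or (q_out != []) or (q_in != [] and #q_out < 2)
    return len(e[0]) < 2 or e[1] != () or (e[0] != () and len(e[1]) < 2)

# group k: (var(k), quantifier domain or None, guard g(e, v), successor h(e, v))
GROUPS = {
    1: ("Y", DOM,  lambda e, v: len(e[0]) < 2, lambda e, v: ("X", e[0] + (v,), e[1], v)),
    2: ("Y", DOM,  lambda e, v: len(e[0]) < 2, lambda e, v: ("Y", e[0] + (v,), e[1], e[2])),
    3: ("Y", None, lambda e, v: e[1] != (),    lambda e, v: ("Y", e[0], e[1][1:], e[2])),
    4: ("Y", None, lambda e, v: e[0] != () and len(e[1]) < 2,
                   lambda e, v: ("Y", e[0][1:], e[1] + (e[0][0],), e[2])),
    5: ("X", None, None, None),   # simple formula: simplify(expr(5)[params := e]) is true/false
    6: ("X", DOM,  lambda e, v: len(e[0]) < 2, lambda e, v: ("X", e[0] + (v,), e[1], e[2])),
    7: ("X", None, lambda e, v: e[1] != () and e[1][0] != e[2],
                   lambda e, v: ("X", e[0], e[1][1:], e[2])),
    8: ("X", None, lambda e, v: e[0] != () and len(e[1]) < 2,
                   lambda e, v: ("X", e[0][1:], e[1] + (e[0][0],), e[2])),
}

def group_next(state, k):
    """GROUP-NEXT(X(e), k): the set of successor states of `state` in group k."""
    var, dom, guard, nxt = GROUPS[k]
    if state[0] != var:                       # group k belongs to another variable
        return set()
    e = state[1:]
    if guard is None:                         # simple formula: constant true/false vector
        return {("true",) if simple5(e) else ("false",)}
    return {nxt(e, v) for v in (dom or (None,)) if guard(e, v)}

def instantiate(init=("Y", (), (), DEFAULT_D)):
    """All states of the parity game reachable from `init` (plain BFS, no caching)."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for k in GROUPS:
            for t in group_next(s, k) - seen:
                seen.add(t)
                todo.append(t)
    return seen
```

With D of size 2 the search reaches 130 states: all 49 Y-states, 80 X-states and the single constant state true (expr(5) never simplifies to false, so the buffer has no deadlock).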

4.2.2 Dependency matrix 

Let occ(φ) be the set of propositional variables occurring in a term φ, let free(d) be the set of free data 
variables occurring in a data term d, and used(φ) the set of free data variables occurring in an expression 
φ such that the variables are not merely passed on to the next state. E.g., with X(a,b) = ξ, for the 
expression φ = a ∧ X(c, b), used(φ) = {a, c}. Parameter b is not in the set because it does not influence 
the computation, but is only passed on to the next state. For a formula φ, the function changed(φ) 
computes the variable parameters changed in the formula: 

$$
changed(X(e_1, \ldots, e_m)) \overset{def}{=} \{ d_i \mid i \in \{1 \ldots m\} \wedge d_i = params(X)_i \wedge e_i \neq d_i \}
$$

The function tf(φ) determines if φ contains a branch that directly results in a true or false (not a variable). 
This is needed because the boolean constants are encoded as a vector with variable names "true" and 
"false", hence a transition to one of them changes the first part of the state vector. For group k and part i, 
we define read dependence d_R and write dependence d_W: 

$$
d_R(k,i) \overset{def}{=} \begin{cases}
true & \text{if } i = 1; \\
p_i \in (params(var(k)) \cap used(expr(k))) & \text{otherwise.}
\end{cases}
$$

$$
d_W(k,i) \overset{def}{=} \begin{cases}
(occ(expr(k)) \setminus \{var(k)\} \neq \emptyset) \vee tf(expr(k)) & \text{if } i = 1; \\
p_i \in changed(expr(k)) & \text{otherwise.}
\end{cases}
$$

d_R(k, 1) is true for every group k, since the variable has to be read to determine if a transition group is 
applicable. 

Definition 4.5 (PPG Dependency matrix). For a PPG P the dependency matrix DM(P) is a K × M 
matrix defined for 1 ≤ k ≤ K and 1 ≤ i ≤ M as: 

$$
DM(P)_{k,i} = \begin{cases}
+ & \text{if } d_R(k,i) \wedge d_W(k,i); \\
r & \text{if } d_R(k,i) \wedge \neg d_W(k,i); \\
w & \text{if } \neg d_R(k,i) \wedge d_W(k,i); \\
- & \text{otherwise.}
\end{cases}
$$

Example 4.6. For the PBES in Example 4.3 the dependency matrix looks like this: 

  k   X   q_in   q_out   d 
  1   +    +       -     w 
  2   +    +       -     - 
  3   +    -       +     - 
  4   +    +       +     - 
  5   +    r       r     - 
  6   +    +       -     - 
  7   +    -       +     r 
  8   +    +       +     - 

The first row lists the state vector parts. The left column lists the group numbers. A '+' denotes both 
read and write dependency, 'w' denotes write dependency, 'r' read dependency, and '-' no dependency 
between the group and the state vector part. For group 1 we can see that the variable is changed from Y 
to X, which results in a '+' in the X column. The q_in parameter is both read and changed (d is added 
to it). The q_out parameter is not touched, which results in a '-'. The parameter d is not in params(Y) 
and therefore there is no read dependence. However, the value of d is set for the next state, resulting in 
a 'w' in the last column. 
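The read and write dependences can be computed purely syntactically from each group's guard and calls. The following added example (not the paper's or LTSmin's code) encodes groups (1)-(8) of Example 4.3 by the data variables their guards read, the arguments of their calls and their quantifier-bound variables, and derives the matrix of Example 4.6; it assumes that tf(expr(k)) holds for simple and for guarded expressions, and that a quantifier-bound d counts as a new value even when it shares its name with the callee's parameter.

```python
# Added example (not from the paper or LTSmin): the dependency matrix of Definition 4.5
# computed from d_R / d_W of Section 4.2.2 for groups (1)-(8) of Example 4.3.
from collections import namedtuple
PARAMS = {"Y": ["q_in", "q_out"], "X": ["q_in", "q_out", "d"]}   # params(X)
STATE_VECTOR = ["var", "q_in", "q_out", "d"]                      # part 1 is the variable
# Group: var(k); variables read by the guard (None if unguarded); calls [(X', [(arg, free
# vars of arg), ...])]; quantifier-bound variables (distinct from parameters); simple flag
Group = namedtuple("Group", "var guard calls bound simple", defaults=(frozenset(), False))
def passed_on(g, callee, i, text):
    # e_i is merely passed on if it is the callee's own i-th parameter (and not a bound d)
    return text == PARAMS[callee][i] and text not in g.bound

def used(g):
    # used(expr(k)): free data variables that influence the computation
    vs = set(g.guard or ())
    for callee, args in g.calls:
        vs |= set().union(*(fv for i, (t, fv) in enumerate(args) if not passed_on(g, callee, i, t)))
    return vs - g.bound

def changed(g):
    # changed(expr(k)): callee parameters that receive a new value in the next state
    return {PARAMS[c][i] for c, args in g.calls
            for i, (t, _) in enumerate(args) if not passed_on(g, c, i, t)}

def dependency_matrix(groups):
    # One row per group k, one character per state vector part: '+', 'r', 'w' or '-'
    rows = []
    for g in groups:
        u, c, occ = used(g), changed(g), {callee for callee, _ in g.calls}
        row = ""
        for i, p in enumerate(STATE_VECTOR):
            if i == 0:  # assumption: tf(expr(k)) holds for simple and for guarded expressions
                d_r, d_w = True, bool(occ - {g.var}) or g.simple or g.guard is not None
            else:
                d_r, d_w = p in set(PARAMS[g.var]) & u, p in c
            row += "+" if d_r and d_w else "r" if d_r else "w" if d_w else "-"
        rows.append(row)
    return rows

Q_IN, Q_OUT, D = ("q_in", {"q_in"}), ("q_out", {"q_out"}), ("d", {"d"})   # copied arguments
GROUPS = [  # '<|' denotes appending an element to a list
    Group("Y", {"q_in"}, [("X", [("q_in<|d", {"q_in", "d"}), Q_OUT, D])], bound={"d"}),
    Group("Y", {"q_in"}, [("Y", [("q_in<|d0", {"q_in", "d0"}), Q_OUT])], bound={"d0"}),
    Group("Y", {"q_out"}, [("Y", [Q_IN, ("tail(q_out)", {"q_out"})])]),
    Group("Y", {"q_in", "q_out"}, [("Y", [("tail(q_in)", {"q_in"}), ("q_out<|head(q_in)", {"q_in", "q_out"})])]),
    Group("X", {"q_in", "q_out"}, [], simple=True),
    Group("X", {"q_in"}, [("X", [("q_in<|d0", {"q_in", "d0"}), Q_OUT, D])], bound={"d0"}),
    Group("X", {"q_out", "d"}, [("X", [Q_IN, ("tail(q_out)", {"q_out"}), D])]),
    Group("X", {"q_in", "q_out"}, [("X", [("tail(q_in)", {"q_in"}), ("q_out<|head(q_in)", {"q_in", "q_out"}), D])]),
]
```

`dependency_matrix(GROUPS)` returns one string per group, e.g. "++-w" for group 1, matching the rows of the matrix above.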
5 Performance Evaluation 

In this section we report the performance of our tools compared to existing tools in the mCRL2 toolset. 
5.1 Experiment setup 

As input we used PBESs that are derived from the following mCRL2 models: n sequential buffers 
(buffer-*), the Sliding Window Protocol (SWP), the IEEE 1394 protocol, a Sokoban puzzle, and state 
machines that are part of the control system for an experiment at CERN (wheel_sector), described in 
[12]. The models are combined with μ-calculus properties that check absence of deadlock (nodeadlock, 
see Example 2.6), if x is read, then eventually x will be written (evt_send, see Example 4.3), or that from 
the initial state there is a path on which a push action is possible (always_push: ⟨true*⟩⟨push⟩true, 
only applicable to the Sokoban puzzle). 

As preprocessing steps, we applied pbesparelm and pbesrewr -psimplify to every equation 
system, which are rewriters that apply some obvious simplifications to the equation systems. In the 
reported cases no transformation to PPG was needed, as the systems were already in the required form. 

The tools that we compared are: 

  Tool              Toolset   Groups   Caching   Distributed   Symbolic   Command 
  pbes2bes          mCRL2                                                 pbes2bes -rjittyc 
  pbespgsolve       mCRL2                                                 pbespgsolve -rjittyc -g 
  pbes2lts -black   LTSmin    no       no        no            no         pbes2lts-grey --black --always-split 
  pbes2lts -grey    LTSmin    yes      no        no            no         pbes2lts-grey --grey --always-split 
  pbes2lts -cache   LTSmin    yes      yes       no            no         pbes2lts-grey -rgs -c --always-split 
  pbes2lts-mpi-*    LTSmin    yes      yes       yes           no         pbes2lts-mpi -rgs -c --always-split 
  pbes-reach        LTSmin    yes      no        no            yes        pbes-reach --order=chain-prev --saturation=sat-like --save-levels -rgs --always-split 


It is indicated whether transition groups, caching, distributed generation or symbolic generation are 
available. pbes2bes and pbespgsolve from the mCRL2 toolset are similar in functionality, but different 
in implementation. For pbespgsolve the -g option means only generating the parity game without 
solving. For the LTSmin tools pbes2lts-* and pbes-reach the option -rgs enables regrouping, -c 
enables caching, and --black disables the use of transition groups. pbes-reach uses the sat-like 
saturation strategy. 

The experiments were performed on a cluster of 10 machines with each two quad-core Intel Xeon 
E5520 CPUs @ 2.27 GHz (with 2 hyperthreads per core) and 24GB memory. Every tool was given a 20 
GB memory limit and a 10 ks time limit. Elapsed time and memory usage have been measured by the tool 
memtime. The experiments were executed using Linux 2.6.34, mCRL2 svn rev. 10785 and for LTSmin 
the git rev. after commit 4d11bc20 in the experimental 'next' branch. The tools were built using GCC 
4.4.1. Open MPI 1.4.3 was used for the distributed tool. 
Table 1: Time performance in seconds. 'T' indicates a timeout, 'M' out of memory. The tool columns are, 
from left to right: pbes2bes, pbespgsolve, pbes2lts -black, pbes2lts -grey, pbes2lts -cache, 
pbes2lts-mpi with 1, 4 and 8 workers, and pbes-reach. 

  Equation system            # States   pbes2bes  pbespgsolve  -black   -grey  -cache  mpi-1  mpi-4  mpi-8  pbes-reach 
  swp.nodeadlock                1,862          5            5       5       5       5      5      5      5           5 
  swp.evt_send                 33,554          7            7       8      11       5      5      5      8           5 
  1394.nodeadlock             173,101        199          202     231   1,387     120    125     56     73         114 
  sokoban.372.always_push     834,397         69           78     258       T     403    419    182     62          31 
  buffer.7.nodeadlock         823,545         32           33      48      76      13     16      9      7           9 
  buffer.7.evt_send         2,466,257        111          107     157     266      22     27     13     11           9 
  buffer.8.nodeadlock       5,764,803        235          237     357     594      82     93     31     20          37 
  buffer.8.evt_send        17,281,283        820          859   1,256   2,171     158    191     71     67          42 
  buffer.9.nodeadlock      40,353,607      1,059            M   2,937   4,905     571    686    241    197         274 
  buffer.9.evt_send       121,021,455          M            M       T       T   1,172  1,448    520    306         282 
  wheel_sector.nodeadlock   4,897,760          T            T       T       T   2,337  2,368    828    939       1,904 


Table 2: Memory usage in MB. 'T' indicates a timeout, 'M' out of memory. The tool columns are the same 
as in Table 1. 

  Equation system            # States   pbes2bes  pbespgsolve  -black   -grey  -cache  mpi-1  mpi-4  mpi-8  pbes-reach 
  swp.nodeadlock                1,862         12           11      17      17      16     13     15     14          16 
  swp.evt_send                 33,554         58           29      20      20      18     15     15     16          47 
  1394.nodeadlock             173,101        227          168      31      30      89     86     60     50          57 
  sokoban.372.always_push     834,397      1,187          768      34       T     220    217     69     45          47 
  buffer.7.nodeadlock         823,545        965          354      32      32      91     89     36     27          49 
  buffer.7.evt_send         2,466,257      3,340        1,215      63      64     181    179     67     43          49 
  buffer.8.nodeadlock       5,764,803      7,179        2,579     117     117     528    525    145     81          49 
  buffer.8.evt_send        17,281,283     18,136        9,056     345     345   1,155  1,152    377    204          49 
  buffer.9.nodeadlock      40,353,607     18,451            M     737     737   4,129  4,127  1,048    538          49 
  buffer.9.evt_send       121,021,455          M            M       T       T   9,209  9,206  3,003  1,487          49 
  wheel_sector.nodeadlock   4,897,760          T            T       T       T   1,288  1,285    389    238          90 
5.2 Results 

Results are in Tables 1 (time performance in seconds) and 2 (memory usage in MB). For the MPI tool, 
the values are the maximum for the workers. The 'T' indicates a timeout, the 'M' indicates an Out of 
Memory error. We can make the following observations. 

From the results we see that pbes2bes and pbespgsolve from the mCRL2 toolset perform better 
than pbes2lts -black, the LTSmin based tool without any optimisation. The memory performance of 
the LTSmin tool however is much better, even over 25 times better in the case of buffer.8.evt_send. 

Looking at pbes2lts -grey we observe that only splitting into transition groups without any 
optimisations has a negative impact on the performance, especially in the case of 1394.nodeadlock. 

The LTSmin tools have a relatively bad performance for the Sokoban puzzle, because of the structure 
of always_push: either "we can do a push now" or "we move and take a recursive step". If this formula 
is evaluated as a whole on a state where we can do a push, the first part will immediately evaluate to true 
and the formula as well, without taking the recursive step. When the formula is split into transition groups, 
then both parts may be evaluated independently. Although the second part is not needed, such on-the-fly 
solving optimisations are not available in the PBES language module yet when transition groups are 
enabled. This causes LTSmin to generate a state space of 10,992,856 states (instead of 834,397), but still 
the symbolic tool of LTSmin, pbes-reach, is the fastest. 

Transition caching pays off for many systems. Compared to the mCRL2 tools, the speedup is between 
1.8 and 5.1 for the sequential buffers, and for wheel_sector the instantiation is completed within the 
time bound. The distributed tool does not scale well. The speedup with 8 workers compared to 1 worker 
is 6.8 for the Sokoban puzzle, but does not exceed 4.7 for the sequential buffers, and is only 2.5 for the 
wheel_sector case. In the wheel_sector and 1394 cases the execution time for 8 workers is even 
worse than with 4 workers, indicating that there is a limit beyond which adding workers yields no further 
speedup. 

The symbolic tool performs best of all sequential tools in all cases. The tool is up to 19.5 times faster 
than the fastest tool from the mCRL2 toolset (in the buffer.8.evt_send case). And for some cases 
LTSmin could finish within memory and time bounds, whereas the mCRL2 tools could not. Memory 
usage of pbes-reach is slightly worse in the smallest cases, but up to more than 180 times better than 
the mCRL2 tools for the other cases. 

6 Conclusions 

We have defined PPG as a normal form for PBESs and a transformation to PPG, making the instantiation to 
parity games more straightforward. We implemented a PBES language module for LTSmin. As a result, 
the high-performance capabilities for state space generation become available for parity game generation. 
We demonstrated this for distributed state space generation and for symbolic state space generation. 

Experimental comparison to existing tools shows good results. The LTSmin tools reduce memory 
usage enormously. Transition caching, distributed computation and the symbolic tool speed up the 
instantiation in all reported cases. However, the distributed tool does not scale well. For all reported cases, 
the symbolic LTSmin tool performed the best, with up to 19 times speedup and up to more than 180 
times lower memory usage compared to the mCRL2 tools. 

We intend to extend the tool with optimisations, such as on-the-fly minimisation and solving, i.e., 
while generating the parity game (possibly also distributed). Furthermore, the symbolic tool generates a 
BDD representation of the parity game, which asks for solvers that can deal with such symbolic parity 
games similar to the tool by [1]. 